Nexo

We’re Giving out 10 BTC in Rewards until the Bitcoin Halving

Learn More
Home » News » $80M Lost in Attack on Rari Capital

$80M Lost in Attack on Rari Capital

by

Rari Capital’s Fuse lending pools were targeted this morning. 

$80M Lost in Attack on Rari Capital
Shutterstock cover by REDPIXEL.PL

Key Takeaways

  • Rari Capital and Fei Protocol have been affected today by another major exploit.
  • A hacker stole about $80 million from Rari’s Fuse lending pools early Saturday. 
  • The Fei team is offering the hacker a $10 million bounty to return the funds.

Share this article

The Fei team is offering a $10 million bounty for the safe return of the funds. 

Rari Hacker Steals $80M

The DeFi space has been hit by another major exploit. This time, Rari Capital and Fei Protocol are affected. 

On-chain data shows that a hacker stole about $80 million from Rari’s Fuse lending pools early Saturday. 

Continuing a trend seen in many other DeFi attacks over the past year, the hacker exploited what’s known as a reentrancy bug, a form of smart contract exploit that essentially allows an attacker to trick a protocol into letting them withdraw an excess supply of tokens they don’t actually own. 

Rari’s Fuse pools run on Ethereum’s sprawling DeFi ecosystem. They offer a way to create isolated lending markets for all kinds of tokenized assets, something that isn’t offered by many other larger, more liquid lending protocols. One of Fuse’s key users is Fei, another DeFi protocol that’s best known for creating the FEI stablecoin. Fei supplies FEI to Fuse’s lending markets in order to increase its liquidity and make the stablecoin more robust. Due to their close relationship, the two projects recently completed a merger. 

The Fei team took to Twitter to announce the hack shortly after it occurred, saying it had identified an exploit in its Rari Fuse pools and paused its borrowing feature. It also offered the hacker a $10 million bounty in exchange for the safe return of the funds. According to a Discord message from Fei’s Joey Santoro, a post-mortem report will follow in the near future. 

The blockchain analytics firm PeckShield also confirmed the attack in a tweet, noting that “the old reentrancy bug bites again.”

As is often the case in incidents such as this one, the attacker has already begun funneling funds through Tornado Cash, an Ethereum-based mixer that helps users preserve privacy by obfuscating their transaction history. At press time, their Ethereum wallet still contains just under 22,673 ETH worth around $63.75 million. 

DeFi Attacks Continue 

Today’s incident is only the latest in a series of multi-million dollar DeFi hacks over recent months. As Ethereum is the main hub for DeFi today, it’s become a hotbed for such attacks courtesy of Solidity-native opportunists that know how to read poorly-written code. Solidity is Ethereum’s coding language, but very few people in the world are familiar with it. That means that decent auditing can be hard to come by, and those who can audit can get away with charging a small fortune. 

Interestingly, the biggest DeFi hacks often occur on weekends, possibly because attackers believe that teams will be slower to respond and they’ll have a greater chance of getting away with the crime. Today, only a few hours after the Rari attack, Saddle Finance was hit by a similar eight-figure exploit. And on Apr. 17, Beanstalk was drained of about $76 million. DEUS Finance was also hit Thursday with the hacker making off with about $13.4 million. Though DeFi is known for its countless hacks, bad actors are increasingly targeting NFT communities like Bored Ape Yacht Club as the prices of sought-after NFTs have skyrocketed. For Web3 users, the endless wave of attacks should serve as a reminder of the risks associated with using Ethereum and still-nascent crypto technology. 

Disclosure: At the time of writing the author of this piece owned ETH and several other cryptocurrencies.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.